{"id":7472,"date":"2025-10-07T10:04:28","date_gmt":"2025-10-07T10:04:28","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/10\/07\/cl0p-ransomware-actively-exploiting-oracle-e-business-suite-0-day-vulnerability-in-the-wild\/"},"modified":"2025-10-07T10:04:28","modified_gmt":"2025-10-07T10:04:28","slug":"cl0p-ransomware-actively-exploiting-oracle-e-business-suite-0-day-vulnerability-in-the-wild","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/10\/07\/cl0p-ransomware-actively-exploiting-oracle-e-business-suite-0-day-vulnerability-in-the-wild\/","title":{"rendered":"Cl0p Ransomware Actively Exploiting Oracle E-Business Suite 0-Day Vulnerability in the Wild"},"content":{"rendered":"

Cl0p Ransomware Actively Exploiting Oracle E-Business Suite 0-Day Vulnerability in the Wild
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

Oracle has issued an emergency security alert for a critical zero-day vulnerability (CVE-2025-61882)<\/a> in its E-Business Suite after the notorious Cl0p ransomware group began extorting customers who failed to patch their systems.\u00a0<\/p>\n

The vulnerability, carrying a maximum CVSS score of 9.8, affects the Business Intelligence Publisher (BI Publisher) Integration component and enables remote code execution without authentication.<\/p>\n

The vulnerability CVE-2025-61882 represents a significant threat to Oracle E-Business Suite<\/a> deployments worldwide. Security researchers have confirmed that public proof-of-concept exploits are now available, dramatically increasing the risk for unpatched systems.\u00a0<\/p>\n

The flaw affects Oracle EBS versions 12.2.3 through 12.2.14, requiring organizations to implement Oracle\u2019s October 2023 CPU as a prerequisite before applying the latest security patches.<\/p>\n

Tenable investigation revealed that Cl0p ransomware<\/a> operators have been systematically targeting Oracle E-Business Suite installations, leveraging this zero-day vulnerability to gain unauthorized access to enterprise systems.\u00a0<\/p>\n

Cl0p Exploiting Unpatched Oracle EBS Vulnerability<\/strong><\/h2>\n

The attack campaign came to light when multiple Oracle customers received extortion emails from the Cl0p group, claiming to have successfully infiltrated their EBS environments and stolen sensitive business data.<\/p>\n

Tenable stated that<\/a> the Oracle Concurrent Processing component vulnerability allows attackers to execute arbitrary code remotely without requiring authentication credentials, making it an attractive target for cybercriminals.\u00a0<\/p>\n

Security experts emphasize that the combination of widespread Oracle EBS deployment in enterprise environments and the vulnerability\u2019s high severity score creates a perfect storm for large-scale attacks.<\/p>\n

The Cl0p ransomware group, also known as TA505 and FIN11, has established a pattern of targeting zero-day vulnerabilities in enterprise file transfer and business application software.\u00a0<\/p>\n

Previous campaigns successfully exploited vulnerabilities in Accellion, MOVEit <\/a>Transfer<\/a>, GoAnywhere, and Cleo platforms, demonstrating the group\u2019s sophisticated capability to identify and weaponize high-impact security flaws.<\/p>\n

\n\n\n\n\n\n\n\n
Risk Factors<\/strong><\/td>\nDetails<\/strong><\/td>\n<\/tr>\n
Affected Products<\/td>\nOracle E-Business Suite, Business Intelligence Publisher (BI Publisher) Integration 12.2.3 through 12.2.14<\/td>\n<\/tr>\n
Impact<\/td>\nRemote Code Execution<\/td>\n<\/tr>\n
Exploit Prerequisites<\/td>\nNetwork access to Oracle EBS instance, No authentication required<\/td>\n<\/tr>\n
CVSS 3.1 Score<\/td>\n9.8 (Critical)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

Mitigations<\/strong><\/h2>\n

Oracle\u2019s security advisory includes multiple indicators of compromise (IOCs) to help organizations detect potential intrusions.\u00a0<\/p>\n

The company has released patches addressing not only CVE-2025-61882 but also nine additional vulnerabilities from the July 2025 Critical Patch Update<\/a> that may have been exploited in conjunction with the zero-day flaw.<\/p>\n

Security teams must prioritize immediate patching of affected Oracle EBS systems, particularly given the availability of public exploits.\u00a0<\/p>\n

Organizations should also implement network monitoring for suspicious activity targeting the BI Publisher Integration component and review access logs for unauthorized administrative actions.\u00a0<\/p>\n

The incident underscores the critical importance of maintaining current patch levels and implementing defense-in-depth strategies to protect against zero-day exploitation campaigns.<\/p>\n

Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n

The post Cl0p Ransomware Actively Exploiting Oracle E-Business Suite 0-Day Vulnerability in the Wild<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n

\t

\n
<\/BR>
\n Florence Nightingale
\n \t

\n
<\/BR>
\nGo to cyber-security-news<\/a>
\n \t

\n
<\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"

Cl0p Ransomware Actively Exploiting Oracle E-Business Suite 0-Day Vulnerability in the Wild Oracle has issued an emergency security alert for a critical zero-day vulnerability (CVE-2025-61882) in its E-Business Suite after the notorious Cl0p ransomware group began extorting customers who failed to patch their systems.\u00a0 The vulnerability, carrying a maximum CVSS score of 9.8, affects the […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1636,129,63,131,648],"tags":[130],"class_list":["post-7472","post","type-post","status-publish","format-standard","hentry","category-cyber-attack-news","category-cyber-security","category-cyber-security-news","category-vulnerability","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/7472"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=7472"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/7472\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=7472"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=7472"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=7472"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}